According to a person close to the investigation, more than 60 million credit card numbers may have been stolen from Home Depot’s payment system. Comparatively, hackers stole data for over 40 million cards from Target’s system following a three-week attack during the busy Black Friday shopping season.

However, the breach at Home Depot went undetected for a much longer period of time – from April to early last week – affecting all customers that have shopped in a retail store in the U.S. or Canada (more than 2,250 locations, 400 more than affected Target stores) and paid with a debit or credit card.

HomeDepot.com has not been hacked, and PINs for debit cards have not been stolen, a Home Depot spokesperson revealed.

It’s still not clear who performed the data heist, but it’s believed the same group that attacked Target and other retail chains earlier this year may be responsible for the Home Depot breach as well. Apparently, the group is based in Eastern Europe, and the attacks might be related to the Ukraine crisis.

Meanwhile, Home Depot will offer free identity protection and credit monitoring services to any customer that had used a credit or debit card at one of its affected stores.